NSX-T LDAP Authentication Fails for Specific User Groups Due to Missing RBAC Role Assignment

Article ID: 433293

Products

VMware NSX

Issue/Introduction

NSX domain authentication fails for newly added user groups, while existing users continue to log in without issue. Users attempting to access the environment encounter authorization failures.

When reviewing the NSX Manager logs located at /var/log/proton/nsxapi.log, the following error is recorded:

2026-03-05T13:37:00.669Z ERROR <REDACTED_IP> UserInfoUtil <REDACTED_ID> SYSTEM [nsx@6876 comp="nsx-manager" errorCode="MP401" level="ERROR" subcomp="manager"] User <REDACTED_USER> with groups [<REDACTED_GROUP>] and incoming roles null is not authorized to access API with rbac_feature utilities_backup having required_permission read.

Environment

VMware NSX 4.2.x

Cause

The user authenticates successfully against the LDAP directory, but the authorization phase fails. This occurs because the user's group has not been mapped to a valid Role-Based Access Control (RBAC) role within the NSX Manager. Because no mapping exists, NSX evaluates the request with null incoming roles (the "incoming roles null" in the log entry above) and denies API/UI access.
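To list which LDAP groups are being denied for lack of a role mapping, the MP401 entries can be pulled out of nsxapi.log and grouped. The script below is an added example, not Broadcom code; its sample lines, user names and group names are constructed, and it assumes that multiple groups appear comma-separated inside the brackets.

```python
import re
import sys
from collections import defaultdict

# Pattern follows the MP401 message text shown in the log entry above.
MP401 = re.compile(
    r'errorCode="MP401".*?User (?P<user>\S+) with groups \[(?P<groups>[^\]]*)\] '
    r'and incoming roles (?P<roles>.+?) is not authorized to access API '
    r'with rbac_feature (?P<feature>\S+) having required_permission (?P<perm>\w+)'
)

def unmapped_groups(lines):
    """Return {group: {"users": set, "features": set}} for MP401 denials whose
    incoming roles are null: the user authenticated but no role is mapped."""
    found = defaultdict(lambda: {"users": set(), "features": set()})
    for line in lines:
        m = MP401.search(line)
        if not m or m["roles"].strip() != "null":
            continue  # unrelated line, or a denial where some role was present
        # Assumption: several groups are comma-separated inside the brackets.
        for group in filter(None, (g.strip() for g in m["groups"].split(","))):
            found[group]["users"].add(m["user"])
            found[group]["features"].add(f'{m["feature"]}:{m["perm"]}')
    return dict(found)

# Constructed sample lines modelled on the article's log entry (not real data).
_T = ('2026-03-05T13:37:00.669Z ERROR 192.0.2.10 UserInfoUtil - SYSTEM '
      '[nsx@6876 comp="nsx-manager" errorCode="MP401" level="ERROR" '
      'subcomp="manager"] User {u} with groups [{g}] and incoming roles {r} '
      'is not authorized to access API with rbac_feature utilities_backup '
      'having required_permission read.')
SAMPLE = [
    _T.format(u="alice@corp.example", g="nsx-netops", r="null"),
    _T.format(u="bob@corp.example", g="nsx-netops, nsx-new-team", r="null"),
    _T.format(u="carol@corp.example", g="nsx-audit", r="[some_role]"),
    "2026-03-05T13:37:01.000Z INFO unrelated line",
]

if __name__ == "__main__":
    # Pass a copy of /var/log/proton/nsxapi.log as the argument, or run on SAMPLE.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            result = unmapped_groups(fh)
    else:
        result = unmapped_groups(SAMPLE)
    for group, info in sorted(result.items()):
        print(f"{group}: users={sorted(info['users'])} denied={sorted(info['features'])}")
```

Each group it reports is a candidate for the role assignment described under Resolution; a group that still appears after the assignment is saved indicates the mapping did not take effect for those users.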

Resolution

To resolve this issue, assign an appropriate RBAC role to the affected LDAP group within NSX Manager:

  1. Log in to the NSX Manager UI using an account with Enterprise Administrator privileges.

  2. Navigate to System > User Management > User Role Assignment.

  3. Verify that the LDAP Identity Source is correctly configured with the primary domain and any necessary alternative domains to match the users' UserPrincipalName (UPN) suffixes.

  4. Click Add > Role Assignment for LDAP.

  5. Search for the specific user group (e.g., <REDACTED_GROUP>).

  6. Assign the appropriate Role (e.g., Enterprise Admin, Network Admin, or Auditor) to the group based on your organizational requirements.

  7. Save the configuration.

  8. Have a user from the affected group attempt to log in to verify that they can now successfully authenticate and access the NSX API/UI.